puppetserver and puppetdb -- Puppet Server and PuppetDB may leak sensitive information via metrics API

2020-03-1000:00:00

vuxml.freebsd.org

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.068 Low

EPSS

Percentile

93.8%

JSON

Puppetlabs reports:

Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints. For PuppetDB this may contain things like hostnames. Puppet Server reports resource names and titles for defined types (which may contain sensitive information) as well as function names and class names. Previously, these endpoints were open to the local network.
PE 2018.1.13 & 2019.4.0, Puppet Server 6.9.1 & 5.3.12, and PuppetDB 6.9.1 & 5.2.13 disable trapperkeeper-metrics /v1 metrics API and only allows /v2 access on localhost by default.

OSVersionArchitecturePackageVersionFilename
FreeBSDanynoarchpuppetdb5< 5.2.13UNKNOWN
FreeBSDanynoarchpuppetdb6< 6.9.1UNKNOWN
FreeBSDanynoarchpuppetserver5< 5.3.12UNKNOWN
FreeBSDanynoarchpuppetserver6< 6.9.2UNKNOWN

OS	Version	Architecture	Package	Version	Filename
FreeBSD	any	noarch	puppetdb5	< 5.2.13	UNKNOWN
FreeBSD	any	noarch	puppetdb6	< 6.9.1	UNKNOWN
FreeBSD	any	noarch	puppetserver5	< 5.3.12	UNKNOWN
FreeBSD	any	noarch	puppetserver6	< 6.9.2	UNKNOWN